AZL-27278

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27278.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-27278

Upstream

CVE-2023-30589

Published

2023-07-01T00:15:10Z

Modified

2026-04-01T05:09:04.841663Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

CVE-2023-30589 affecting package nodejs for versions less than 16.20.1-2

Details

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

References

https://nvd.nist.gov/vuln/detail/CVE-2023-30589

Affected packages

Azure Linux:2 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/azure-linux/nodejs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.20.1-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27278.json"